Social Networking Site Safety Questioned

An anonymous reader writes to mention a TechNewsWorld article about social networking sites. Researchers are finding these places are goldmines for social engineering exercises. Between worm attacks and simple human observation, sites like MySpace are the perfect place to obtain saleable personal information. From the article: "The danger is real, according to a study conducted by CA and the National Cyber Security Alliance (NCSA). In October, the alliance issued its first social networking study examining the link between specific online behaviors and the potential for becoming a victim of cybercrime. Despite all the publicity about sexual predators on sites like MySpace and FaceBook, the alliance took a different approach by measuring the potential for threats such as fraud, identity theft, computer spyware and viruses. Although 57 percent of people who use social networking sites admit to worrying about becoming a victim of cybercrime, they are still divulging information that may put them at risk, as Boyd suggested. Social networkers are also downloading unknown files from other people's profiles, and responding to unsolicited instant messages that could contain worms, the NCSA reported."

it holds true for myspace

[User 956]

Researchers are finding these places are goldmines for social engineering exercises.

Yeah, well you know what you have wherever there's a goldmine. Gold diggers.

Re:

[tehwebguy]

Local White Pages Safety Questioned

Aren't your local White Pages more dangerous by default? I mean those are opt-OUT, while MySpace is opt-IN

Re:

[Thansal]

Yes but the white pages do not tell you:
1) What I look like
2) My ethnicity
3) My age
4) My interests
5) My apparent level of intelegence
6) My buying habits
7) How I react to different situations

Heck, the white pages tell you my name, number, and where I live (white pages do have address, right? I have never bothered looking in them as I livei n NYC and it is an exorcise in futility)

Re:

[WhyDoYouWantToKnow]

No.

True, the white pages are an opt-out system. All you have to do when you sign up for new phone service is ask for an unlisted number; some operators will give you the option during the call. If you choose to have your number listed, while it will be available through directory assistance, your number will not be listed in the local white pages until the new book is published. Even then, with the local white pages your number is only seen locally.

With MySpace, your information is instantaneously av

Re:

[mdwh2]

With MySpace, your information is instantaneously available to not just your local weirdos but weirdos nation and world-wide.

If you choose to put it out there - you don't have to put your address and phone number on. I don't see why posting on MySpace is inherently more risky than posting on Slashdot.

Another problem with MySpace, people can create accounts for you and post information about you and you may be completely unawares.

This is true of everywhere on the Internet. Maybe someone could post all your

Re:

[WhyDoYouWantToKnow]

You're right. Posting to MySpace is no more or less risky than posting to /., the risk comes from what information you choose to post. The reason I specified MySpace is because it was mentioned in the summery and article.

Fix the ohter end?

[zotz]

Should the other end be fixed? Why should it be possible to steal someone's identity with the simple personal details people make available online?

all the best,

drew

Re:Fix the ohter end?

[eln]

I think the problem is with MySpace's default layout. I mean seriously, doesn't this sidebar information just invite abuse?

General:
Music:
Mother's Maiden Name:
Movies:
Television:
Social Security Number:
Books:
Heroes:

Re:

[D4rk Fx]

I think the problem is with MySpace's default layout. I mean seriously, doesn't this sidebar information just invite abuse?

The Layout was recently updated to include this seemingly generic and useless information:

Favorite Color:
First Pet's Name:
Date of Birth:
City where you were born:
Drivers License Number:
Credit Card Numbers and Expiration dates:
Your Password:

Re:

[garcia]

Should the other end be fixed? Why should it be possible to steal someone's identity with the simple personal details people make available online?

You have the wrong "other end" identified. The "other end" that needs to be fixed is the human creating the profile. People should not be entering data that can be used against them (birth date, sex, full name, etc).

"If someone tells you to jump off the Empire State Building, would you do it?" Just because the form asks for your personal info does it mean you

Re:

[tcopeland]

> People should not be entering data that can be used against them

Or they should use a system that lets them display only the appropriate profile details for each group or person or whatever - like indi [getindi.com].

Re:

[Viper Daimao]

I believe facebook has security like this too.

Re:

[WilliamSChips]

It does.

Re:

[derF024]

You have the wrong "other end" identified. The "other end" that needs to be fixed is the human creating the profile. People should not be entering data that can be used against them (birth date, sex, full name, etc).

Ah, yes, people revealing incredibly personal details like their name is the problem. Phone books must scare the crap out of you.

No, the problem has nothing to do with myspace or any other directory of names, the problem is that it's trivially easy to do things (like getting a credit card or a

Re:

[garcia]

Ah, yes, people revealing incredibly personal details like their name is the problem. Phone books must scare the crap out of you.

I suggest you read my signature.

Re:

[zotz]

"No, the problem has nothing to do with myspace or any other directory of names, the problem is that it's trivially easy to do things (like getting a credit card or a bank loan) pretending that you're someone else."

Bingo, and yet you are liable. My take is that the whole thing comes down to laziness and a desire for convenience on the part of businessmen.

Well, plus, this thread shows how many want to blame the public for the results of an insecure system.

I should be able to put out all my personal details a

Re:

[A.Gideon]

I should be able to put out all my personal details and still no one should be able to do business as me using that info. Now, why is that not possible?

You know the answer: because some of that information is used to verify that you are you.

If we used (for example) public keys for identification, then it would be foolish to send someone your private key. And I guarantee: some people would do that on request.

If we used biometrics for identification., then it would be foolish to send someone your genome. An

Re:

[zotz]

"You know the answer: because some of that information is used to verify that you are you."

But it obviously doesn't verify that I am me as others can use it to pretend to be me. That is a large part of my point.

Let me put it another way, if you use this info to do business with "me" and it turns out not to be me at all, the risk should be entirely yours.

all the best,

drew

Re:

[WhyDoYouWantToKnow]

I wonder if people should have backup identities

Hi, my identity was recently stolen so for today I'm going to be... Bob. I'm a middle aged career... actuary? Actuary, is that right? Okay. I have... three kids and a mortgage that's 2 months overdue. But I didn't buy that house, this is just my backup identity. Wait, what do you mean there's a warrant out for my arrest. I've never even been to Georgia.

Ex-fricking-actly

[SatanicPuppy]

Why is this such a big issue? Because we don't currently have a reliable way of verifying identity. Until that basic problem is fixed, there is no way to fix the identity theft issue.

Of course, the only really reliable way of proving identity is some kind of private key crypto backed up by high-end biometrics (eg, retinal scan, or dna), and the odds of something like that being implemented are hilariously low, for about a million reasons.

At the very least there needs to be some sort of private ID that is us

Yeah, why is this just now an issue?

[Peter Trepan]

The phone book has my full name, address, and phone number. The kind of information MySpace asks for can be obtained by meeting me briefly in person and acting friendly. Is putting this information online really qualitatively different from the regular act of walking around and meeting people?

Re:

[Jonnty]

Because this stuff can be easily harvested en masse - the probability of you stumbling upon an ID fraudster on your travels and accidentally divulging information to him is much smaller than him finding it nicely categorised on a social networking site.

the answer to this is so simple...

[CheechBG]

Just make your damn profile private! If you are naive enough to think that everyone in the world wants to read your profile, you are probably too naive to understand that everyone's intentions sometimes aren't friendly.

One of our HR people just to prove a point attempted to look at my profile, and then sent me a friend request which I denied for that reason. Making a definitive wall between work and whatever it is that I do at home is very important.

Re:

[WhyDoYouWantToKnow]

Just make your damn profile private!

Perhaps I'm being trite but wouldn't that fall into the same category as "Don't put that information up there in the first place"?

Consider that you're telling people to make their profile private when they were naive (dumb) enough to publish their personal info for everyone to see to begin with.

Re:

[jinxidoru]

...wouldn't that fall into the same category as "Don't put that information up there in the first place"?

No. Making your profile, or particular data private is not the same as not putting the information there in the first place. While I may want my friends to know what my calendar holds, I probably don't want perfect strangers to know. Therefore, I put the data as private. That way my friends know and others don't. It makes perfect sense to me.

Re:

[WhyDoYouWantToKnow]

Allowing you personal friends to view your calendar is quite a bit different than posting you home address, phone number, the names of your children, pictures of your children, etc for everyone to see. I would assume that your personal friends already know these things about you, already know what your children look like and probably don't need to see your latest 250 image homage to "Our Trip to Chuck E. Cheese".

The problem isn't that people aren't making their profiles private, the problem is people are

"Slashdot" is not Facebook's target audience

[Valacosa]

...already know what your children look like and probably don't need to see your latest 250 image homage to "Our Trip to Chuck E. Cheese".

The mention of children leads me to believe you are not a university student.

I take a lot of pictures. A lot of pictures. As in, I've taken 12 gigabytes of photographs since March 2006. And every time I'm at a party or barbeque or Frosh Week or some audition, taking pictures as I'm wont to do, people always say the same thing. "You're going to put these pictures on F

Re:

[A.Gideon]

The mention of children leads me to believe you are not a university student.

The claim that people aren't interested in the pictures rather preclude that poster from being a parent too. We parents all know just how deperately the world awaits our next couple of Gig of pictures (and video!). And when I take pictures at various events (ie. a school field trip), all the parents want to see the pictures.

On the other hand, Facebook is far too limited. My "alumni" account from grad school has long since aged a

Re:

[Plutonite]

One of our HR people just to prove a point attempted to look at my profile, and then sent me a friend request which I denied for that reason.

That's the funniest thing I read all week. What do you mean you denied him..your HR staff want to be your friend! Don't be such an ass. Besides, you don't want him to report to your boss saying that he sent you a friend request on Myspace and you declined. Oh wait, maybe you do.

Re:

[Jonnty]

I think the social networking sites should make it as hard as possible or even disallowed for things like phone numbers and addresses to be public, even if the rest of your egotistical drivel is.

In other news

[timeOday]

Never leave home and you'll never catch a cold or get run over by a car. Join the fight against leaving home now!

Re:

[7macaw]

Yes! And don't eat tomatoes! Everyone who eats tomatoes, dies!

Re:

[kfg]

Never leave home and you'll never catch a cold . . .

Nooooooooooow ya tell me!

Actually, I think, in a bit of irony, I caught this one from the UPS man the last time he handed me a crate of Kleenex through the basement window, 'cause I don't remember leaving home lately. I'll have to wear gloves and soak them in Vodka for a week before handling them next time.

In a bit of further irony today I had intended to be far away from anywhere with a net connection, or people, but I couldn't leave home, becasue I have

of course

[jrwr00]

Its a meeting place for all the morons on the interweb (as called by a few of my friends)

Myspace, hi5, bebo, is just to name a few i see around here in job corps,

ever wonder why AOL Userers got the most phising emails, because most AOL users where morons

Newsflash: People are STILL stupid.

[R2.0]

In shocking news today, it was revealed that human stupidity is not relieved by the internet, but is actually exascerbated by it. News at 11:00!

Re:

[too_old_to_be_irate]

Yep. Presumably includes exacerbating awful spelling, too...

Re:

[StikyPad]

The word "exascerbated," aside from containing one s too many, has about as much chance of showing up in a teaser as the less asexual word with which it rhymes. Also, was your teaser in the form of a question? Keep readnig to find out!

Re:

[Adambomb]

You've got red on you.

Re:

[owlnation]

Some people are actually astonishingly stupid. The Internet is simply a reflection of this, not the cause.

I used to work for a large multinational company. Occasionally customers would be asked to prove their identity for certain services. For this, they would be asked to send/fax in photocopies of documents proving their identity. Which is of course normal practice for many companies.

Regularly, and I mean at least one a week, people would send in things like their passports. Not copies, their actual

Re:

[The Benefactor]

As an aside to this I once saw a copy of a passport cover which was sent in as a "copy of their passport" Which kind of proves your point.

Obviously

[Elentari]

They're bound to be havens for social engineers. Those sites are full of people who are usually fairly young, almost guaranteed to click on any link they're sent - especially if from a "friend" on the site - and entirely uninterested in the workings of computers, or the internet.

People don't find these sites anymore. They go online specifically to accumulate profiles, with no knowledge of what they're doing. Of course it's going to go horribly wrong.

Nosey sites

[Threni]

Part of the problem is sites asking for identifying info when you sign up, including passwords, email addresses, real addresses sometimes, or postcodes/zipcodes, dates of birth etc? Why? None of this stuff has anything to do with what I post on Slashdot, my opinions on music, films, games. Having it stored on the site owners server does nothing to aid my attempts to get answers to technical problems on usenet or forums. And I'm not entirely sure it can be said to help reduce trolls and other problems th

Re:

[Threni]

> To register requires an email (to confirm that the email is your own, and to help users in case their account information is
> compromised and they cannot log in) and a date of birth (COPPA requirements).

Why do I need to `confirm that the email is my own`? Why not just let me create a user name and password so I can log in in future. Messages could be sent to an account on the site, and not email. I don't want any more email, thanks - I get all the email I desire from friends, family and work. You

This...just in!

[PingSpike]

Another recent study said that walking down dark alleys while jiggling your car keys and waving a wad of cash around may increase the likelyhood of muggings.

Automated Privacy Rights

[Doc Ruby]

Best practices to protect personal data like IDs should be consistently supported in software if most people are to practice them.

I'm really annoyed every time I have to type my name/address/email into a Web form. How many times have I typed that info in the past 10 years of the Web? Why can't forms include either Javascript or even standardized APIs for requesting the same personal info? In increasing scopes with simple descriptive names. So I don't have to let my info sit cached at so many remote servers with which I do intermittent business, any one of which can leak my info at any time.

I want to see a Web GUI show submittable form sections tagged by their target org. I'd like to subscribe to a service that rates forms by their risk, demonstrated by proven vulnerabilities in distributed reporting databases (or whatever my selected advisor uses to decide its ratings). Many people would pay for such a service to advise how much info to disclose to a given recipient. And many organizations would pay to make using them free, like insurance and bank corps, not to mention governments with insight into the preventive value of informing consumers of disclosure risks, without slowing down acceptable transactions.

People can protect ourselves even more than with just tech fixes. We have the right to privacy in our "papers and effects" [wikipedia.org]: our personal data. We produce a government to protect that privacy. We should specify how they protect it, like requiring all disclosed personal data to be redistributed only within the context of the transaction into which it was delivered, unless explicitly agreed otherwise by the sender. Maybe even a Constitutional Amendment, to make more clear the privacy rights implicit in the Constitution, explicit in the 4th Amendment, but still not protected enough for adequate security in the modern age.

Easy Sum:

[Penguinisto]

Yes, Virginia, there is a such thing as "Ignorant People Who Will Click On Anything Others Send Them"

/P

Re:

[StikyPad]

but it was from my bff! :(((

On the other hand,

[Peter Trepan]

Socializing at a bar puts you at greater risk of physical harm. Socializing at a church puts you at greater risk of personal judgment. Socializing at a coffee shop puts you at greater risk of cardiac arrhythmia. Socializing at a restaurant puts you at greater risk of clogged arteries. Not socializing puts you at greater risk of dying alone.

Re:

[presentt]

I agree. I think there is a difference between caution and paranoia. As long as you aren't stupid, and don't make available information such as credit card numbers, social security numbers, and so forth, I don't see much wrong with posting basic demographics like age, sex, and even locations. It's the type of information that can be obtained by someone who wants it, anyways, and can potentially add to the sense of the online "community." I don't have a MySpace, but I do have a Facebook profile. I keep

Poison the Well

[99BottlesOfBeerInMyF]

So spammers and marketers and others are data mining social networking sites. Great, I think it is the duty of each of us to go create a fake site with a fake name and link to a few other people. Heck we can even get creative and talk about "favorite" products. Maybe I'll accidentally post the number of a local law firm claiming it is my home number :)

Teach internet responsibility in school

[businessnerd]

I think a great way to combat issues like this is to start teaching safe browsing in school. We are already teaching them how to use the computer and how to find information over the internet, but are they teaching them how to use the technology responsibly. When I learned how to use a computer in school, we learned what bugs and viruses were, but they weren't as widespread then, so there was no lesson on how you might get a virus, how to prevent getting that virus, and if you do get a virus, how do you repair your machine. This was also before spyware was understood as well as phishing and identity theft. We all saw the movie "The Net", but no one really thought that could happen to them, and could only be pulled off by some elite hacker out to get you, and only you.

We need to teach the kids that not everyone on the internet is your friend. Not everyone on the internet is who they say they are. You can protect yourself from malware by using safe browsing behavior (don't click OK at every message that pops up, smiley face add-ons are not so smiley). Never give out personal information on the internet unless you are absolutely positive that the person you are giving it to is in fact who they say they are, and there is a legitimate reason for it. This means no SSN, phone number, credit card/bank numbers, address, etc.

Like I said earlier, when I was in school, all of this was not really a concern, so I'm not sure if schools are actually teaching this kind of stuff.

Re:

[Jerf]

To make your curriculum more palatable to schools and more likely to be taught, some simple changes make it even more useful and applicable:

We need to teach the kids that not everyone is your friend, period. Not everyone is who they say they are, period. Never give out personal information, period, unless you are absolutely positive that the person you are giving it to is in fact who they say they are, and there is a legitimate reason for it. This means no SSN, phone number, credit card/bank numbers, addre

Re:

[photomonkey]

I agree that this information needs to be taught at a very early age. School would be a great place to teach and reinforce good browsing habits and behaviors. However, I would endeavor to guess that most schoolteachers are not themselves 'up-to-speed' on the latest exploits and tricks.

Despite it being fairly available at the time (mid-late 90's), my house didn't have internet access until I was a junior or senior in high school. Why? My dad didn't know enough about it beyond the basics of his business

Re:

[businessnerd]

I agree that most schoolteachers are not very savvy when it comes to good internet habits, let alone computers themselves, but my hopes at least are that the technology/computer teachers at least have a good understanding of this. They don't need to be up to date on the latest and greatest Windows or IE exploit, but they should be able to understand viruses and spyware, phishing, identity theft, and what social engineering is. The reason I say teachers and not parents should teach this sort of thing is be

Re:

[NineNine]

How to spot a "noob": Poster cannot write grammatically correct, coherent, English sentences.

Without these sites, Chris Hanson is unemployed

[fatnicky]

How many social researchers salivate when they hear "Hi, I'm Chris Hanson with Dateline NBC".

The industry alone should be salivating, for all the pedo-rific jaw dropping action that goes on in a pedo bust.

Without myspace or any of these, what kind of pedos would we watch get busted on Friday night.

There's only so much Michael Jackson to go around.

If you'll excuse me, I just met a 19 (12) year old kid and am going to drive 300 miles away to meet them. (And yes, I always have protection, erotica, booze, and

Brilliant!

[evil_Tak]

So...places where lots of social networking occurs are good places for social engineering?!

Next you'll be telling me that places with lots of water, fish food, and fish habitat are good places to go fishing!

Re:

[StikyPad]

Dave, is that you?

For the last time, there is NO FISHING in my aquarium.

Re:

[account_deleted]

Comment removed based on user account deletion